IT Administrator's Hacking Spree Foiled by $5 McDonald's Purchase

An information-technology administrator has pleaded guilty to crippling his former employer's network after FBI agents traced the attack to the Wi-Fi network at a McDonald's restaurant in Georgia. The administrator was caught after he used his credit card to make a $5 purchase at the restaurant about five minutes before the hacks occurred.

Jason Cornish, 37, pleaded guilty Tuesday in New Jersey to crippling the network of Shionogi, a subsidiary of a Japanese pharmaceutical company that has offices in New Jersey and Georgia. Cornish apparently hacked the company after a friend of his was fired from the firm.

According to court documents (.pdf), Cornish used legitimate credentials to log into the company's network Feb. 3 at around 6 a.m., then proceeded to systematically delete the contents of 15 virtual hosts on the network. These included the company's e-mail and BlackBerry servers, as well as its order-tracking system and financial-management software.

"The Feb. 3 attack effectively froze Shionogi's operations for a number of days, leaving company employees unable to ship product, to cut checks, or even to communicate via e-mail," according to the complaint filed against him, which asserted that the hack cost Shionogi about $300,000. That figure rose to $800,000 in later court documents.

Cornish had worked for the company for about a year before resigning in July 2010 over a dispute with a senior manager. After he resigned, his former supervisor and close friend, who is identified in court documents only as B.N., convinced the company to keep Cornish on as a consultant until September 2010, due to his extensive knowledge of the company's network. It was that knowledge that eventually helped him swiftly locate and erase the servers he targeted in his attack.

According to the documents, the company announced layoffs in September that would affect B.N., after which he allegedly refused to hand over certain network passwords to the company. B.N. was subsequently suspended and fired. Cornish later used legitimate network credentials to breach the company's network.

About two weeks before he crippled the network, he used the credentials to install software called vSphere onto Shionogi's network, which he later used to delete the servers. The vSphere software is a tool for managing virtual machines.

Cornish made it easy for the FBI to find him. After examining computer logs for the servers, agents quickly traced the activity to an IP address assigned to a McDonald's in Smyrna, Georgia. Agents found Cornish's Visa credit card number among purchase records at the restaurant.

They also found the same Visa number on documents obtained from Google, which indicated the card number had been "provided in connection" to a Gmail account that Cornish used – identified only as caveman****@gmail.com in the court documents. The court documents don't indicate why exactly Google had Cornish's credit card number, but Google is known to store credit card numbers for users of its Google Checkout payment system, as well as for its online advertising program AdWords.

Cornish had further made it easy for investigators by using his home IP address to install the vSphere software on Shionogi's network as well as to access the Shionogi network about 20 times prior to February. He also used the same network login credentials during these visits from his home that he later used during his attack from McDonald's.

Cornish, who pleaded guilty to one charge under the Computer Fraud and Abuse Act, faces a possible maximum sentence of 10 years in prison and a $250,000 fine. His sentencing is scheduled for Nov. 10.